
Current status (2026-04-09)

Remediation batch aligned with DEPENDABOT_ALERTS_BASELINE_2026-04-09.md (archived snapshot):
  • Root: vite bumped to ^8.0.5 (lockfile resolves e.g. 8.0.8); defu pinned via overrides.defu: ^6.1.5; vite-plugin-pwa override uses vite: ^8.0.5. npm audit → 0 vulnerabilities.
  • packages/docs: markdownlint-cli bumped; overrides added/updated for lodash, lodash-es, node-forge, brace-expansion, serialize-javascript (≥7.0.5), smol-toml, express → path-to-regexp, picomatch (with tinyglobby nested for 4.x). npm audit in packages/docs → 0 vulnerabilities.
  • Verification: npm run typecheck and npm run build succeed at repo root. Full npm run validate may still fail if Biome format:check has unrelated drift. Docusaurus npm run build may still fail on pre-existing broken links (see prior docs audit notes); those failures are not introduced by the dependency changes.
  • GitHub Dependabot alerts: Re-check after merge to default branch with gh api "/repos/OWNER/REPO/dependabot/alerts?state=open&per_page=100" --jq length (expect 0 when GitHub rescans the default branch).

Historical snapshot — Date: 2026-02-25
Status (historical): In Progress
Total Vulnerabilities (historical): 38 (Dependabot) / 4 (npm audit - unique vulnerabilities)

Executive Summary

GitHub Dependabot has reported 38 vulnerabilities on the repository’s default branch. The npm audit tool shows 4 unique vulnerabilities (2 high, 2 moderate) that need to be addressed. The discrepancy in numbers is because Dependabot counts each instance of a vulnerability across the dependency tree, while npm audit groups them by unique vulnerability.

Vulnerabilities Identified

High Severity (2 unique, multiple instances)

1. jsPDF (Direct Dependency)

  • Current Version: 4.1.0
  • Required Version: ≥4.2.0
  • Vulnerabilities:
    • GHSA-p5xg-68wr-hm3m: PDF Injection in AcroForm module allows Arbitrary JavaScript Execution
    • GHSA-9vjf-qc39-jprp: PDF Object Injection via Unsanitized Input in addJS Method
    • GHSA-67pg-wm7f-q7fj: Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions
  • CVSS Score: 8.1 (High)
  • Fix: Update jspdf in package.json from ^4.0.0 to ^4.2.0

2. minimatch (Transitive Dependencies)

  • Affected Versions: ≤3.1.2 || 5.0.0-5.1.6 || 9.0.0-9.0.5 || 10.0.0-10.2.0
  • Required Versions: ≥3.1.3 || ≥5.1.7 || ≥9.0.6 || ≥10.2.1
  • Vulnerability: GHSA-3ppc-4f35-3m26: ReDoS via repeated wildcards with non-matching literal in pattern
  • Instances Found:
    • minimatch@3.1.2 (multiple instances via eslint, glob, @eslint/eslintrc, etc.)
    • minimatch@5.1.6 (via filelist, readdir-glob)
    • minimatch@9.0.5 (via @typescript-eslint/typescript-estree, @sentry/bundler-plugin-core)
    • minimatch@10.1.1 (via glob)
  • Fix: Run npm audit fix to update transitive dependencies

Moderate Severity (2 unique, multiple instances)

3. ajv (Transitive Dependencies)

  • Affected Versions: <6.14.0 || ≥7.0.0-alpha.0 <8.18.0
  • Required Versions: ≥6.14.0 || ≥8.18.0
  • Vulnerability: GHSA-2g4f-4pwh-qvx6: ReDoS when using $data option
  • Instances Found:
    • ajv@6.12.6 (via @eslint/eslintrc, eslint)
    • ajv@8.17.1 (via workbox-build)
  • Fix: Run npm audit fix to update transitive dependencies

4. markdown-it (Transitive Dependency)

  • Current Version: 14.1.0
  • Required Version: ≥14.1.1
  • Vulnerability: GHSA-38c4-r59v-3vqw: Regular Expression Denial of Service (ReDoS)
  • CVSS Score: 5.3 (Moderate)
  • Dependency Path: prosemirror-markdown → markdown-it
  • Fix: Run npm audit fix to update transitive dependency

Resolution Plan

Phase 1: Direct Dependency Updates (Manual)

  1. Update jsPDF
    npm install jspdf@^4.2.0
    
    • This is a direct dependency, so manual update is required
    • Verify no breaking changes in jsPDF 4.2.0 release notes
    • Test PDF generation functionality after update

Phase 2: Transitive Dependency Updates (Automated)

  1. Run npm audit fix
    npm audit fix
    
    • This will automatically update vulnerable transitive dependencies
    • Updates minimatch, ajv, and markdown-it to secure versions
    • May add new packages (balanced-match, brace-expansion) as dependencies
  2. Verify fixes applied
    npm audit
    
    • Should show 0 vulnerabilities after fixes
    • If vulnerabilities remain, document which ones and why

Phase 3: Testing & Validation

  1. Run full test suite
    npm run validate
    
    • Ensures no breaking changes from dependency updates
    • Includes format check, typecheck, lint, and build
  2. Run unit and integration tests
    npm run test
    npm run test:integration
    
  3. Test PDF generation functionality
    • Verify jsPDF 4.2.0 works correctly with existing code
    • Test form-to-PDF features (if applicable)
    • Check for any API changes in jsPDF
  4. Run E2E smoke tests
    npm run test:e2e:smoke
    

Phase 4: Documentation & Monitoring

  1. Update package-lock.json
    • Ensure package-lock.json is committed with updates
    • Verify all changes are tracked in git
  2. Monitor for new vulnerabilities

Implementation Steps

Step 1: Create feature branch

git checkout -b cursor/dependabot-vulnerabilities-review-ad2a

Step 2: Update jsPDF (Direct dependency)

npm install jspdf@^4.2.0

Step 3: Run automated fixes

npm audit fix

Step 4: Verify no remaining vulnerabilities

npm audit

Step 5: Test the application

npm run validate
npm run test
npm run test:integration

Step 6: Commit changes

git add package.json package-lock.json
git commit -m "security: fix Dependabot vulnerabilities

- Update jspdf 4.1.0 → 4.2.0 (fixes 3 high severity PDF injection vulnerabilities)
- Update minimatch to secure versions (fixes ReDoS vulnerabilities)
- Update ajv to secure versions (fixes ReDoS vulnerability)
- Update markdown-it 14.1.0 → 14.1.1 (fixes ReDoS vulnerability)

Resolves 38 Dependabot alerts (4 unique vulnerabilities)"

Step 7: Push and create PR

git push -u origin cursor/dependabot-vulnerabilities-review-ad2a

Risk Assessment

Low Risk

  • ajv, markdown-it, minimatch updates: These are transitive dependencies with patch/minor version updates. Low risk of breaking changes.

Medium Risk

  • jsPDF 4.1.0 → 4.2.0: Patch version update, but PDF generation is critical functionality. Requires thorough testing.

Mitigation

  • All updates are patch/minor versions (semver compatible)
  • Run full test suite before merging
  • Test PDF generation functionality specifically
  • Monitor for any runtime issues after deployment

Verification Checklist

  • jsPDF updated to ≥4.2.0
  • npm audit shows 0 vulnerabilities
  • All tests pass (npm run validate)
  • Unit tests pass
  • Integration tests pass
  • E2E smoke tests pass
  • PDF generation tested and working
  • No breaking changes identified
  • package-lock.json committed
  • Changes reviewed and approved

Long-term Recommendations

  1. Add npm audit to CI pipeline
    • Add npm audit --audit-level=moderate as a CI check
    • Fail builds on high/critical vulnerabilities
  2. Enable Dependabot version and security updates
    • This repo uses .github/dependabot.yml for weekly version updates and security update PRs.
    • Enable Dependabot alerts and Dependabot security updates in GitHub: Repo Settings → Security → Code security and analysis. See DEPENDABOT_SETUP.md.
    • Review and merge security updates promptly.
  3. Regular dependency audits
    • Schedule monthly dependency reviews
    • Use npm outdated to identify stale dependencies
  4. Dependency pinning strategy
    • Consider pinning critical dependencies to exact versions
    • Use npm audit fix regularly in development workflow
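As an added example (not code from the encoreos repository), the script below reads `npm audit --json` output and reports the unique-advisory count that the executive summary contrasts with Dependabot's per-instance count, then applies the `--audit-level=moderate` gate recommended for CI. It assumes npm's audit report version 2 format (npm 7+); the embedded report is a constructed sample using advisory IDs quoted on this page.

```python
import json, sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
ADV = "https://github.com/advisories/"

# Constructed sample in the shape of `npm audit --json` (report version 2). "via" holds
# advisory objects, or only the name of another vulnerable package when the entry is
# affected transitively; "nodes" lists every vulnerable copy found in node_modules.
SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "jspdf": {"isDirect": True, "nodes": ["node_modules/jspdf"],
              "via": [{"url": ADV + "GHSA-p5xg-68wr-hm3m", "severity": "high"}]},
    "minimatch": {"isDirect": False,
                  "nodes": ["node_modules/minimatch",
                            "node_modules/eslint/node_modules/minimatch",
                            "node_modules/glob/node_modules/minimatch"],
                  "via": [{"url": ADV + "GHSA-3ppc-4f35-3m26", "severity": "high"}]},
    "ajv": {"isDirect": False,
            "nodes": ["node_modules/ajv", "node_modules/workbox-build/node_modules/ajv"],
            "via": [{"url": ADV + "GHSA-2g4f-4pwh-qvx6", "severity": "moderate"}]},
    "eslint": {"isDirect": True, "nodes": ["node_modules/eslint"], "via": ["minimatch"]},
}}


def summarize(report):
    """Count unique advisories (GHSA IDs) against vulnerable copies in the tree."""
    advisories, instances = {}, 0
    for pkg in report.get("vulnerabilities", {}).values():
        direct = [v for v in pkg.get("via", []) if isinstance(v, dict)]
        if not direct:
            continue  # affected only through another package, counted there
        instances += len(pkg.get("nodes", []))
        for adv in direct:
            ghsa = adv["url"].rstrip("/").rsplit("/", 1)[-1]
            advisories[ghsa] = adv["severity"]
    worst = max(advisories.values(), key=SEVERITY_RANK.get, default="info")
    return {"unique": len(advisories), "instances": instances,
            "advisories": advisories, "max_severity": worst}


def fails_audit_level(report, level="moderate"):
    """Mirror `npm audit --audit-level=<level>`: True when any advisory reaches it."""
    return SEVERITY_RANK[summarize(report)["max_severity"]] >= SEVERITY_RANK[level]


if __name__ == "__main__":
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    s = summarize(report)
    print(f"{s['unique']} unique advisories, {s['instances']} vulnerable copies, worst: {s['max_severity']}")
    sys.exit(1 if fails_audit_level(report) else 0)
```

Pipe a real report in with `npm audit --json | python3 <script>`; with no piped input it runs against the constructed sample and exits non-zero because a high-severity advisory is present.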

Notes

  • The 38 vulnerabilities reported by Dependabot represent multiple instances of the same 4 unique vulnerabilities across the dependency tree
  • All vulnerabilities have fixes available via npm audit fix or manual package updates
  • No critical severity vulnerabilities were found
  • All fixes are backward-compatible (patch/minor updates)